General

  • Target

    8f7b89ac3df5f91ba144a8dbe04d744967e87708be7f80c8badc7708160bd06e

  • Size

    115KB

  • Sample

    240909-aqrt9ssgkr

  • MD5

    5dd531f9477064411cf7c72617045f7d

  • SHA1

    52e3cc9c8b603bcfed5db6ebab09dd775f07c6aa

  • SHA256

    8f7b89ac3df5f91ba144a8dbe04d744967e87708be7f80c8badc7708160bd06e

  • SHA512

    d596d06708410189ce2c862581604fe50acd85d767b3b9d1ad2b5bdeef939b5b5e301f7abc1e154db4474a04bc78ee20c609645ebaf0a3f5dd8b9fc0f1f80b15

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMmG:P5eznsjsguGDFqGZ2rB

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    neuf

  • C2

    doddyfire.linkpc.net:10000

  • Mutex

    e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets


    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks